When GDPR applies to US organizations
The General Data Protection Regulation (GDPR) applies to US companies that process personal data of individuals in the European Economic Area (EEA), regardless of where the company is headquartered. Article 3(1) covers any processing in the context of an EU establishment; Article 3(2) extends territorial scope to organizations with no EU presence that offer goods or services to EEA data subjects or monitor their behaviour.
Common triggers for US companies include: marketing to EU customers, providing SaaS platforms used by EU businesses, employing EU residents, processing EU customer support data, and using analytics or advertising technologies that track EEA visitors. Physical presence in the EU is not required.
GDPR enforcement against US companies is active. EU supervisory authorities (and the UK ICO under the separate but closely aligned UK GDPR) have issued fines against US technology firms, and EU authorities coordinate through the European Data Protection Board. US GRC teams should treat GDPR as a binding obligation, not a European-only concern.
Step 1: Data mapping and Records of Processing Activities
Article 30 requires organizations to maintain Records of Processing Activities (RoPA). The Article 30(5) exemption for organizations with fewer than 250 employees applies only when processing is occasional, unlikely to result in a risk to data subjects, and does not involve special categories or criminal-conviction data, so most US SaaS companies do not qualify for it. Even where the exemption applies, RoPA is the foundation for all other GDPR compliance activities.
Document each processing activity: what personal data is collected, purposes of processing, legal bases, data categories, recipient categories, retention periods, and cross-border transfer mechanisms. Include data processed by subprocessors and third-party integrations.
GRC teams should conduct a data inventory across product, marketing, HR, finance, and customer support functions. Personal data often exists in systems GRC teams do not initially consider: analytics platforms, email marketing tools, applicant tracking systems, and customer success platforms.
- Inventory all systems processing EEA personal data
- Document processing purposes and legal bases for each activity
- Identify subprocessors and cross-border data flows
- Define retention periods and deletion procedures
Step 2: Legal bases and privacy notices
Every processing activity requires a lawful basis under Article 6: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. US companies frequently over-rely on consent when contract performance or legitimate interests may be more appropriate and sustainable.
Privacy notices must be transparent, accessible, and written in plain language. Articles 13 and 14 (the latter for data not obtained directly from the data subject) specify required content: controller identity, the contact details of the DPO and of the Article 27 EU representative where either has been appointed, processing purposes, legal bases, retention periods, data subject rights, and cross-border transfer information.
Update privacy policies, cookie notices, and in-product disclosures to meet GDPR transparency requirements. US-style privacy policies that bury data practices in legal jargon may not satisfy GDPR's plain language standard.
Step 3: Data subject rights procedures
GDPR grants data subjects eight rights: to be informed, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. US companies must establish procedures to receive, verify, and respond to requests within one month; Article 12(3) allows an extension of up to two further months for complex or numerous requests, provided the data subject is told within the first month.
Build a Data Subject Access Request (DSAR) intake process with identity verification, request logging, and cross-functional workflow. Engineering, customer support, and legal should understand their roles in fulfilling requests within the statutory timeline.
Document response templates for common request types and maintain an audit trail of all DSAR handling. Supervisory authorities may request evidence of your DSAR process during investigations.
Step 4: Cross-border transfer mechanisms
Transferring EEA personal data to the US requires a valid transfer mechanism under Chapter V. Following the Schrems II decision and the adoption of the EU-US Data Privacy Framework, US companies have several options: an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or, for specific and non-repetitive transfers, the Article 49 derogations such as explicit consent.
US companies certified under the EU-US Data Privacy Framework (DPF) benefit from an adequacy determination for transfers to certified entities. Organizations not DPF-certified should implement SCCs with supplementary measures where needed, following EDPB guidance on transfer impact assessments.
Maintain a transfer register documenting each cross-border flow, the mechanism used, and the assessment supporting that mechanism. Update transfer mechanisms when subprocessors change or when adequacy decisions are invalidated.
Step 5: Vendor management and Data Processing Agreements
Article 28 requires written Data Processing Agreements (DPAs) with every processor handling personal data on your behalf. DPAs must specify processing instructions, confidentiality obligations, subprocessor authorization, audit rights, and breach notification requirements.
US companies typically rely on dozens of subprocessors: cloud infrastructure, email services, analytics, payment processors, and customer support tools. GRC teams should maintain a subprocessor register and ensure DPAs are executed before processing begins.
Review subprocessor security practices as part of vendor due diligence. GDPR Article 28(1) requires that processors provide sufficient guarantees of appropriate technical and organizational measures.
Step 6: Security measures and breach notification
Article 32 requires appropriate technical and organizational measures based on processing risk. For most US SaaS companies, this includes encryption at rest and in transit, access controls, logging, vulnerability management, and incident response procedures.
Article 33 mandates notification to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects; a late notification must be accompanied by reasons for the delay. Processors must notify their controllers without undue delay (Article 33(2)), so a US SaaS company acting as processor has an obligation even before the controller's 72-hour clock starts. Article 34 requires notification to affected data subjects when the breach poses a high risk.
Establish a breach response plan that includes GDPR-specific notification timelines alongside your general incident response process. If you have an EU establishment, pre-identify your lead supervisory authority under the one-stop-shop mechanism. If you have no EU establishment, that mechanism does not apply: you may need to notify the supervisory authority of each member state where affected data subjects are located, and you must appoint an Article 27 representative in the EU, who acts as the point of contact for authorities and data subjects.
Key takeaways
- GDPR applies to US companies processing EEA personal data regardless of physical EU presence, based on Article 3 territorial scope.
- Records of Processing Activities (RoPA) are the foundation for all GDPR compliance work; start with comprehensive data mapping.
- Cross-border transfers to the US require valid mechanisms: DPF certification, SCCs with transfer impact assessments, or alternative safeguards.
- Data Processing Agreements with all subprocessors are mandatory under Article 28 before processing begins.
- Breach notification to supervisory authorities is required within 72 hours where feasible; prepare response procedures before an incident occurs.
Related compliance guides
- GDPR and biometric data: compliance considerations for identity verification vendors
- GDPR Data Processing Agreements: requirements, clauses, and vendor management
- GDPR and SOC 2 overlap: mapping privacy and security controls for unified GRC programs
- Implementing GDPR Article 32: technical and organizational security measures